On 20 March 2021, the Philippine National Privacy Commission (NPC) answered a new batch of frequently asked questions regarding eRehistro, specifically with regard to the commission’s validation process, user credentials and the certificate of registration.
For previous responses from the NPC on this topic, check out our earlier client alert here.
While we continue to await the issuance of the formal guidelines by the NPC regarding the eRehistro system, we recommend that personal information controllers (PICs) and personal information processors (PIPs) keep themselves updated by monitoring developments shared by the NPC through both its social media channels and official website. Our firm continues to closely monitor this compliance matter and we will provide more updates in due course.
In more detail
After creating an eRehistro account, PICs and PIPs may proceed to upload their documentary requirements1 using the online system in order to complete the application process. The NPC will then validate the application and determine the completeness and correctness of the submission. Thereafter, the commission will notify the PIC or PIP, through the latter’s registered email address, regarding the status of its application, specifically whether it is already “For Approval” or is “Invalid.”
If the NPC finds the PIC or PIP’s application to be complete and accurate, the eRehistro system will send a notification stating that the application has been approved. The NPC will then issue the certificate of registration within seven (7) days.
In case the NPC finds the application to be incomplete and/or inaccurate, the PIC or PIP will receive a notification to this effect, and shall be provided an opportunity to re-submit or complete the required documents for registration.
Registered email address
The NPC recommends using an official or business email address when creating an eRehistro account in order to ensure access by PICs and PIPs.
Effects of registration
The issuance of a certificate of registration by the NPC does not automatically mean that the PIC or PIP is fully compliant with the Data Privacy Act of 2012, its Implementing Rules and Regulations, and the issuances of the NPC, as the registration of both Data Protection Officers and Data Processing Systems is only one of several other compliance points under the law. Hence, despite receiving the certificate of registration, PICs and PIPs are still required to comply with all other data privacy-related requirements which include, among others, upholding the rights of data subjects, ensuring the security of personal data during processing, and adhering to the general data privacy principles of proportionality, transparency and legitimate purpose.
1 To know more about the documentary requirements that need to be uploaded to eRehistro, please refer to our earlier client alert here.